--- /dev/null
+Description: CVE-2015-2326: heap buffer overflow in pcre_compile2()
+ Fix bad compilation for patterns like /((?+1)(\1))/ with
+ forward reference subroutine and recursive back reference within the same
+ group.
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1529
+Bug: http://bugs.exim.org/show_bug.cgi?id=1592
+Bug-Debian: https://bugs.debian.org/783285
+Forwarded: not-needed
+Last-Update: 2015-09-10
+Applied-Upstream: 8.36
+
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -8027,6 +8027,7 @@ int length;
+ unsigned int orig_bracount;
+ unsigned int max_bracount;
+ branch_chain bc;
++size_t save_hwm_offset;
+
+ /* If set, call the external function that checks for stack availability. */
+
+@@ -8044,6 +8045,8 @@ bc.current_branch = code;
+ firstchar = reqchar = 0;
+ firstcharflags = reqcharflags = REQ_UNSET;
+
++save_hwm_offset = cd->hwm - cd->start_workspace;
++
+ /* Accumulate the length for use in the pre-compile phase. Start with the
+ length of the BRA and KET and any extra bytes that are required at the
+ beginning. We accumulate in a local variable to save frequent testing of
+@@ -8246,7 +8249,7 @@ for (;;)
+ {
+ *code = OP_END;
+ adjust_recurse(start_bracket, 1 + LINK_SIZE,
+- (options & PCRE_UTF8) != 0, cd, cd->hwm - cd->start_workspace);
++ (options & PCRE_UTF8) != 0, cd, save_hwm_offset);
+ memmove(start_bracket + 1 + LINK_SIZE, start_bracket,
+ IN_UCHARS(code - start_bracket));
+ *start_bracket = OP_ONCE;
+--- a/testdata/testinput11
++++ b/testdata/testinput11
+@@ -134,4 +134,6 @@ is required for these tests. --/
+
+ /(((a\2)|(a*)\g<-1>))*a?/B
+
++/((?+1)(\1))/B
++
+ /-- End of testinput11 --/
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4066,4 +4066,6 @@ backtracking verbs. --/
+
+ "((?2){0,1999}())?"
+
++/((?+1)(\1))/BZ
++
+ /-- End of testinput2 --/
+--- a/testdata/testoutput11-16
++++ b/testdata/testoutput11-16
+@@ -733,4 +733,19 @@ Memory allocation (code space): 14
+ 41 End
+ ------------------------------------------------------------------
+
++/((?+1)(\1))/B
++------------------------------------------------------------------
++ 0 20 Bra
++ 2 16 Once
++ 4 12 CBra 1
++ 7 9 Recurse
++ 9 5 CBra 2
++ 12 \1
++ 14 5 Ket
++ 16 12 Ket
++ 18 16 Ket
++ 20 20 Ket
++ 22 End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+--- a/testdata/testoutput11-32
++++ b/testdata/testoutput11-32
+@@ -733,4 +733,19 @@ Memory allocation (code space): 28
+ 41 End
+ ------------------------------------------------------------------
+
++/((?+1)(\1))/B
++------------------------------------------------------------------
++ 0 20 Bra
++ 2 16 Once
++ 4 12 CBra 1
++ 7 9 Recurse
++ 9 5 CBra 2
++ 12 \1
++ 14 5 Ket
++ 16 12 Ket
++ 18 16 Ket
++ 20 20 Ket
++ 22 End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+--- a/testdata/testoutput11-8
++++ b/testdata/testoutput11-8
+@@ -733,4 +733,19 @@ Memory allocation (code space): 10
+ 60 End
+ ------------------------------------------------------------------
+
++/((?+1)(\1))/B
++------------------------------------------------------------------
++ 0 31 Bra
++ 3 25 Once
++ 6 19 CBra 1
++ 11 14 Recurse
++ 14 8 CBra 2
++ 19 \1
++ 22 8 Ket
++ 25 19 Ket
++ 28 25 Ket
++ 31 31 Ket
++ 34 End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14175,4 +14175,19 @@ Failed: parentheses are too deeply neste
+
+ "((?2){0,1999}())?"
+
++/((?+1)(\1))/BZ
++------------------------------------------------------------------
++ Bra
++ Once
++ CBra 1
++ Recurse
++ CBra 2
++ \1
++ Ket
++ Ket
++ Ket
++ Ket
++ End
++------------------------------------------------------------------
++
+ /-- End of testinput2 --/
~ian / pcre3.git / blobdiff